[Nix-dev] store & passwords - once again

Mathijs Kwik mathijs at bluescreen303.nl
Thu Jul 26 15:26:05 CEST 2012


On Thu, Jul 26, 2012 at 3:13 PM, Marc Weber <marco-oweber at gmx.de> wrote:
> From a security point of view: Whether you store ways to decode encrypted
> passwords in /root/additional-stuff or store the passwords - what is the
> difference? If you're root you can access both.

That's why I wasn't opting for storing a way to decrypt.
But even if you do use a passphrase-less gpg key, accessible by root,
it simplifies handling the rest, because the rest (all secure files
like passwords) can be distributed easily and safely, shared between
stores, channels and such. All you need to set up is the gpg key, which
is a lot simpler than having to sync your secure files between all
machines separately.

>
> I'd even propose a second change:
>
> builtins.__writeArbitraryFile "/root/directory" "text-contents"
>
> Should use a hash function to create a filename and return that based on
> "text-contents". This way new contents will
> yield a different path. Then you can roll back more easily, and
> everything feels a little more functional (don't write a file twice if it
> exists - contents should be the same)
>
> I know that that suggestion is not perfect. But a lot better than what
> you can find in media wiki:
>
>     dbPassword = mkOption {
>       default = "";
>       example = "foobar";
>       description = ''
>         The password of the database user.  Warning: this is stored in
>         cleartext in the Nix store!
>       '';
>     };
>
> Marc Weber
> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
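The content-addressed write that Marc proposes above (filename derived from a hash of the contents, same contents yield the same path, a file that already exists is not rewritten) can be sketched outside of Nix. The following Python is an added illustration, not code from the thread or from the Nix project, and `write_secret_file` is a hypothetical stand-in for the proposed `builtins.__writeArbitraryFile`. It also adds two things a defender would want that the proposal leaves implicit: the file is created with mode 0600 in a root-owned directory rather than world-readable like the Nix store, and an existing file is checked against its own name before being trusted, so a tampered or half-written file is detected instead of silently reused.

```python
import hashlib
import os
import stat
import tempfile


def _digest(data: bytes) -> str:
    """SHA-256 hex digest used as the content-addressed filename."""
    return hashlib.sha256(data).hexdigest()


def write_secret_file(directory: str, contents: str) -> str:
    """Write `contents` to `directory/<sha256(contents)>` and return that path.

    Hypothetical stand-in for the proposed builtins.__writeArbitraryFile.
    - Same contents -> same path, nothing is rewritten.
    - New contents -> new path, so the old file stays available for rollback.
    - The file is created 0600 (owner-only) and moved into place atomically.
    - An existing file whose contents do not hash to its name is rejected.
    """
    data = contents.encode("utf-8")
    path = os.path.join(directory, _digest(data))

    if os.path.exists(path):
        with open(path, "rb") as f:
            existing = f.read()
        if _digest(existing) != os.path.basename(path):
            raise ValueError(f"{path} exists but does not match its hash")
        return path  # already present and verified: do not write twice

    # mkstemp creates the temp file with mode 0600 and O_EXCL in the same
    # directory, so os.replace() is an atomic rename on the same filesystem.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".tmp-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return path


def demo() -> dict:
    """Exercise the writer on constructed sample secrets in a scratch dir."""
    d = tempfile.mkdtemp(prefix="secrets-")
    secret = "dbPassword=hunter2\n"  # constructed sample value
    p1 = write_secret_file(d, secret)
    p2 = write_secret_file(d, secret)            # same contents, same path
    p3 = write_secret_file(d, "dbPassword=other\n")  # new contents, new path

    # Simulate tampering with the third file: it must no longer be trusted.
    with open(p3, "wb") as f:
        f.write(b"dbPassword=attacker\n")
    try:
        write_secret_file(d, "dbPassword=other\n")
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    with open(p1, "r", encoding="utf-8") as f:
        readback = f.read()
    return {
        "same_path": p1 == p2,
        "distinct_path": p1 != p3,
        "name_is_sha256": os.path.basename(p1) == _digest(secret.encode()),
        "mode": stat.S_IMODE(os.stat(p1).st_mode),
        "readback": readback,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because the filename is the hash of the contents, rolling back a configuration simply means pointing at the previous path again; the old secret file is still there, readable only by root, and can be verified against its name before use.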
